To create a keystore in the HSM using clientToolBox, do the following:

  1. A utility called clientToolBox is included with your SignServer Cloud instance.  This utility is usually provided with EJBCA, but has been preloaded onto your SignServer ECE instance for ease.  Create a key called testkey with clientToolBox.  SignServer will use this key for healthcheck and keepalive to the HSM.
    (warning) It is important to run these commands as the wildfly user. This is due to file system access permissions and maintaining the permissions for wildfly to be able to use these keys.
    # su - wildfly
    # /opt/PrimeKey/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
    CODE
  2. You will be prompted for a password in the format of <HSM_CryptoUser>:<password>
    For example, the following is the PKCS #11 PIN for an HSM crypto user (CU) with user name CryptoUser and password CUPassword123!:

    CryptoUser:CUPassword123!
    CODE
  3. Create one more keys called signKey with the following command:
    # /opt/PrimeKey/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001
    CODE